Several organizations expose the same IP address for most or all users.  You'd be
blocking entire organizations because of one bad login.

--- Janusz_Dziado� <[EMAIL PROTECTED]> wrote:
> I think that you should register the blocked IP in the database anyway.
> It helps to explain situations like the one below.
> 
> Try to imagine a situation like this:
> one user (A) really doesn't like another user (B) or the system
> administrator (C). Then (A) tries to log in to his (B's or C's) account
> with a bad password. His (B's or C's) account is disabled. Then person A
> can accuse person B or C that they are not working.
> 
> Maybe it seems silly, but I have had such a bad experience.
> The IP of the machine from which the last login attempt was made may help
> to explain all the circumstances.
> 
> JD
> 
> ----- Original Message -----
> From: "Hookom, Jacob" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Tuesday, December 16, 2003 10:46 PM
> Subject: RE: Login Security
> 
> 
> > Do a HashMap in the action:
> >
> > Key is username
> > Value is Integer or Date
> >
> > // map is shared across requests (e.g. a static field in the action), so
> > // guard access with synchronized; values are Integer (failure count) or
> > // Date (lockout deadline)
> > Object value = map.get(key);
> > if (value != null)
> > {
> >   if (value instanceof Date)
> >   {
> >     // compare timeout dates: if the deadline has passed, remove the
> >     // entry and let the user try again, otherwise reject the login
> >   }
> >   else if (value instanceof Integer)
> >   {
> >     int count = ((Integer) value).intValue(); // no autoboxing in 1.4
> >     if (count == 3)
> >     {
> >       map.put(key, new Date(deadline));
> >     }
> >     else
> >     {
> >       map.put(key, new Integer(count + 1));
> >     }
> >   }
> > }
> > else
> > {
> >   map.put(key, new Integer(1)); // first failure for this username
> > }
> >
> >
> >
> > -----Original Message-----
> > From: Ciaran Hanley [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 16, 2003 3:43 PM
> > To: 'Struts Users Mailing List'
> > Subject: RE: Login Security
> >
> >
> > I am storing the username and password in a table in a MySQL database.
> >
> > I think I will just add a field "last_failure" to the user table... and
> > after 3 unsuccessful attempts I will record the time in the
> > "last_failure" field and work out if the timeout has elapsed by querying
> > that field and comparing it to the current time.
> >
> > That way, I won't be using cookies, and will avoid blocking IP addresses.
> > Does that sound ok?
> >
> > Ciaran
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: 16 December 2003 20:46
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Login Security
> >
> > Avoid the cookie solution, it's too easy for the user to bypass your
> > security measures and as mentioned below, this solution won't work if
> > the browser has disabled cookies.
> >
> > Don't block IP addresses because they can be easily spoofed and
> > redirected. Dynamic IPs pose a problem as you could be blocking out a
> > legitimate user.
> >
> > How are you storing your list of usernames/passwords? Would it be
> > possible to add an extra bit of data next to each username/password
> > indicating when the login is valid?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 16, 2003 9:09 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Login Security
> >
> >
> > You could put a cookie on the user's machine that expires after a
> > certain period of time.  Of course this only works when cookies are
> > turned on, and an experienced user could always manually remove their
> > cookie.
> >
> > Another possible solution is to get the user's IP address from the
> > request header and add it to a list of invalid IP addresses with their
> > times of entry. Then upon a new request, you will have to check the
> > list and determine how long ago the IP address was added.
> >
> > I'm just brainstorming here so anybody can criticize these suggestions
> > freely.
> > -Jonathan
> >
> > -----Original Message-----
> > From: Ciaran Hanley [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 16, 2003 10:55 AM
> > To: [EMAIL PROTECTED]
> > Subject: Login Security
> >
> >
> > I'm writing a web application using JSP and Struts. I want to add a
> > security feature to my login page where if a user has three unsuccessful
> > logins they will be unable to log in for a certain period of time
> > afterwards. I can count the number of unsuccessful logins OK, but I'm
> > not sure how to give a timeout after 3 failures. Any ideas how I could
> > implement this?
> >
> > Thanks
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> 
> 
> 
> 




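The username-keyed lockout the thread converges on (Jacob's map of counts and deadlines, or Ciaran's "last_failure" column), as an added example that is not from any poster: a small Struts-independent Java class that counts failures per username, locks for a fixed window, and keeps the client address only for the audit trail JD asks for, never for blocking. The class name, the 3-failure limit and the 15-minute window are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

/** Tracks bad logins per username: after MAX_FAILURES the account is locked
 *  until LOCK_MILLIS has passed. Keyed by username, not client IP, so a
 *  shared proxy or NAT address never blocks a whole organisation. */
public class LoginThrottle {
    static final int MAX_FAILURES = 3;                 // assumed policy
    static final long LOCK_MILLIS = 15L * 60 * 1000;   // assumed 15 min lock

    private static class Entry {
        int failures;      // bad attempts since last success or lock expiry
        long lockedUntil;  // epoch ms; 0 when not locked
    }

    private final Map<String, Entry> entries = new HashMap<String, Entry>();

    /** Call before checking the password; false means reject without trying. */
    public synchronized boolean isAllowed(String user, long now) {
        Entry e = entries.get(user);
        if (e == null) return true;
        if (e.lockedUntil > now) return false;          // inside the timeout
        if (e.lockedUntil != 0) entries.remove(user);   // timeout elapsed: reset
        return true;
    }

    /** Records a failure; returns true if this one locked the account. The
     *  client address is logged for the audit trail only, never blocked. */
    public synchronized boolean recordFailure(String user, String client, long now) {
        Entry e = entries.get(user);
        if (e == null) { e = new Entry(); entries.put(user, e); }
        e.failures++;
        System.out.println("login failure user=" + user + " from=" + client); // audit
        if (e.failures < MAX_FAILURES) return false;
        e.lockedUntil = now + LOCK_MILLIS;
        e.failures = 0;
        return true;
    }

    /** A successful login clears the counter so occasional typos never lock. */
    public synchronized void recordSuccess(String user) { entries.remove(user); }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle();
        long now = System.currentTimeMillis();
        for (int i = 0; i < 3; i++) t.recordFailure("alice", "192.0.2.10", now);
        System.out.println(t.isAllowed("alice", now));                    // false
        System.out.println(t.isAllowed("alice", now + LOCK_MILLIS + 1));  // true
    }
}
```

In a Struts action the same three calls wrap the password check; the in-memory map can be swapped for Ciaran's database columns (a failure count plus the lockout deadline) when the application runs on more than one server.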